From fc189c0865f3eb4769855f6dfc3e3a676ba8be06 Mon Sep 17 00:00:00 2001
From: Johannes Rothe
Date: Tue, 19 Nov 2024 21:36:50 +0100
Subject: [PATCH] Add lldap and use for authelia

---
 vps-configuration.nix | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/vps-configuration.nix b/vps-configuration.nix
index b73c033..862663a 100644
--- a/vps-configuration.nix
+++ b/vps-configuration.nix
@@ -13,7 +13,9 @@
   };
 
   environment.systemPackages = with pkgs; [
+    authelia
     curl
+    vim
   ];
 
   networking.hostName = "tien";
@@ -50,6 +52,28 @@
       #file = {
       # path = "/var/lib/authelia-main/users_database.yml";
       #};
+      password_reset.disable = false;
+      refresh_interval = "1m";
+      ldap = {
+        implementation = "custom";
+        url = "ldap://localhost:3890";
+        timeout = "5s";
+        start_tls = false;
+        base_dn = "dc=accounts,dc=johannes-rothe,dc=de";
+        additional_users_dn = "ou=people";
+        users_filter = "(&({username_attribute}={input})(objectClass=person))";
+        additional_groups_dn = "ou=groups";
+        groups_filter = "(member={dn})";
+        display_name_attribute = "displayName";
+        username_attribute = "uid";
+        group_name_attribute = "cn";
+        mail_attribute = "mail";
+        # "bind_user" should be the username you created for authentication with the "lldap_strict_readonly" permission. It is not recommended to use an actual admin account here.
+        # If you are configuring Authelia to change user passwords, then the account used here needs the "lldap_password_manager" permission instead.
+        user = "uid=bind_user,ou=people,dc=accounts,dc=johannes-rothe,dc=de";
+        # Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
+        password = "REPLACE_ME";
+      };
     };
 
     access_control = {
@@ -125,6 +149,9 @@
       "www.johannes-rothe.de".extraConfig = ''
         reverse_proxy base:11112
       '';
+      "accounts.johannes-rothe.de".extraConfig = ''
+        reverse_proxy localhost:9095
+      '';
       "auth.johannes-rothe.de".extraConfig = ''
         reverse_proxy localhost:9091
       '';
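Review bot: `password = "REPLACE_ME";` places the LDAP bind password inside `services.authelia` `settings`, and everything in that attribute set is rendered by the module into a generated config file in `/nix/store`, which is world-readable on the host, so the real credential must never be filled in on this line. Authelia accepts the same value from a root-only file; drop the placeholder and instead set `environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "/run/secrets/authelia-ldap-password";` on the instance (assuming the nixpkgs module exposes `environmentVariables`, as current versions do), with that file provisioned outside the store. Because `password_reset.disable = false` is set, the pasted comment's second sentence applies: `bind_user` must hold `lldap_password_manager`, which can rewrite any user's password, so the comment should be trimmed to state which permission was actually granted rather than leaving both options. `start_tls = false` on `ldap://localhost:3890` is acceptable only while the bind stays on loopback; if lldap ever moves to another host this needs `start_tls = true` or an `ldaps://` URL. The enclosing `authentication_backend` block starts outside the hunk.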
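Review bot: `reverse_proxy localhost:9095` publishes the lldap web UI, including its admin login, on `accounts.johannes-rothe.de` with nothing in front of it but lldap's own password form, so the directory admin account becomes reachable for online guessing from the whole internet. Since Authelia already runs on this host, the vhost could be gated by it — a `forward_auth localhost:9091 { uri /api/authz/forward-auth ... }` stanza ahead of the `reverse_proxy` line (the exact URI depends on the Authelia version) — or restricted to trusted source ranges; if unauthenticated public access is intended for user self-service, a one-line comment saying so would make that decision visible. The `virtualHosts` set this entry belongs to starts outside the hunk.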
@@ -154,6 +181,16 @@
     };
   };
 
+  services.lldap = {
+    enable = true;
+    settings = {
+      http_host = "127.0.0.1";
+      http_port = 9095;
+      http_url = "https://accounts.johannes-rothe.de";
+      ldap_base_dn= "dc=accounts,dc=johannes-rothe,dc=de";
+    };
+  };
+
   services.searx = {
     enable = true;
     redisCreateLocally = true;
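Review bot: `services.lldap.settings` configures neither `ldap_user_pass` nor `jwt_secret`, and no `environmentFile` carrying `LLDAP_LDAP_USER_PASS_FILE`/`LLDAP_JWT_SECRET_FILE` is set, so unless that happens somewhere outside this hunk lldap comes up with its documented insecure defaults — admin password `password` and a fixed JWT signing secret — on a web UI that the Caddy hunk above exposes publicly. Add `environmentFile = "/run/secrets/lldap.env";` (or the equivalent agenix/sops path) to this block and provision those two variables from outside the store; never put them in `settings`, which lands in the world-readable Nix store. `http_host` is pinned to loopback but `ldap_host` is not, and lldap's own default is `0.0.0.0`, so port 3890 would accept plaintext LDAP binds from any interface the firewall leaves open; since Authelia dials `localhost:3890`, add `ldap_host = "127.0.0.1";` next to `http_host`. Cosmetically, `ldap_base_dn= "…"` is missing the space before `=` that the sibling lines have.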